Critical vulnerability in Essential Addons for Elementor Plugin puts over one million WordPress websites at risk.

Over one million WordPress websites are now at risk of an attack aimed at aquiring unauthorised access to accounts with elevated privileges. This is due to a newly found vulnerability in the Essential Addons for Elementor plugin.

The vulnerability

Cyber security experts have outlined the nature of the vulnerability, which has been identified as CVE-2023-32243. The vulnerability stems from an unauthenticated privilege escalation flaw within the Essential Addons for Elementor plugin. Consequently, any unauthenticated user can exploit this vulnerability to escalate their privileges to match that of anyone on the WordPress site.

Exploitation and consequences

By exploiting this vulnerability, attackers gain the ability to reset the password of anyone by simply knowing their username. This unauthorised access enables them to compromise accounts, including those with administrative privileges. The flaw arises from the plugin's password reset function, which fails to validate the password reset key. The password is then directly altered, allowing the hacker to take control.

What action should you take now?

If your website's vulnerability has been exploited, there are still some best practices that should make it harder for the attackers to gain access:

Enable multi-factor authentication.
If WP JSON API is enabled, the end user IPs should be whitelisted or you can implement a more robust authentication method such as public/private keys.
Keep an eye out for notifications sent by WordPress when a log in is detected outside your usual login location.

Ongoing vulnerability risks

While the patch resolves the specific vulnerability identified, the software can contain multiple vulnerabilities, and new ones may emerge in the future. Therefore, system administrators are urged to adopt additional security practices to enhance their defenses. Measures such as access control, nonce checks, and the utilisation of functions like check_password_reset_key can reinforce secure password reset processes.

The recent advisory serves as a reminder of the importance of promptly addressing security issues. A few months prior, security experts strongly urged that a different WordPress plugin required an update to address an Improper Authentication vulnerability.

These incidents underscore the evolving nature of cyber security threats and the need for vigilance among website administrators. By staying informed, promptly patching vulnerabilities when advised, and adopting best practices, businesses can fortify their websites and ensure a safer online environment.

Should you require further information or you are concerned your business has been exposed, contact us today.